Method And System For Encryption With Bidirectional Difference Propagation

ABSTRACT

An encryption method is disclosed, including two passes over a sequence of N input digital data X₁, . . . X_(N) blocks where the first pass executes iterative linear algebraic operations from the last input block X_(N) to the first input block X₁ to obtain a sequence of intermediary resulting Y_(N) . . . Y₁ blocks. The second pass executes a block ciphering in a chaining mode from the first intermediary resulting Y₁ block to the last one Y_(N) to obtain a sequence of encrypted output Z₁ . . . Z_(N) blocks. The decryption is carried out only in one pass from the first input encrypted Z₁ block to the last input encrypted block Z_(N). The deciphering operations are executed in an iterative loop of inverse linear algebraic operations after deciphering the first input encrypted Z₁ block to obtain an output sequence of decrypted X₁, . . . X_(N) blocks.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority under 35 U.S.C. Section 119 to U.S. Provisional Application No. 61/469,132, entitled “Method of encryption with bidirectional difference propagation” filed Mar. 30, 2011, and to European Patent Application EP11160483.1 entitled “Method of encryption with bidirectional difference propagation” filed Mar. 30, 2011, the contents of which are hereby incorporated by reference herein.

FIELD OF THE INVENTION

The invention relates to a method and a system adapted for encrypting and decrypting digital data divided into a plurality of blocks of a same length. The method may be applied on access controlled data packets of broadcast multimedia services in the field of pay TV.

TECHNICAL BACKGROUND

A known method for encrypting a sequence of data blocks consists of a Cipher Block Chaining (CBC) process where each block of plaintext is combined with the preceding ciphertext block by using XOR operation before being encrypted. Each ciphertext block is thus dependent on all plaintext blocks processed before a given block.

The CBC method requires a decryption module with a buffer able to store at least two block lengths of digital data. Furthermore, a header block with a fixed bit pattern is generally provided at the beginning of each sequence or packet of digital data. As the first block is combined with a fixed initial vector, this could result in a bit pattern recognizable in the encrypted data.

The block cipher modes of operation with chaining provide error propagation in only one direction. A “folklore” method to obtain a Bidirectional Difference Propagation (BDP) is thus to make two processing passes over the data blocks, in the two directions (first block to the last, and reverse) as described in document of George Danezis and Ben Laurie, “Minx: a simple and efficient anonymous packet format”, in Vijay Atluri, Paul F. Syverson, and Sabrina De Capitani di Vimercati, editors, WPES, pages 59-65. ACM, 2004. For both encryption and decryption, the whole sequence of blocks needs to be kept in memory, with two layers of encryption and decryption.

U.S. Pat. No. 5,799,089 discloses a system for encrypting and decrypting digital data wherein the data is divided in packets of N blocks X₁ . . . X_(N) of 2^(m) bits, comprises an encryption device and a decryption device. The encryption device reverses the input sequence of the blocks X₁ . . . X_(N) before a XOR operation and next an encryption operation by means of an encryption algorithm E is carried out on each block of a packet. Thereby the following encrypted blocks Y₁ . . . Y_(N) are formed: The encrypted blocks Y₁ . . . Y_(N) are transferred by a sender in reversed sequence Y_(N) . . . Y₁ to a receiver. The decryption device at the receiver obtains the original blocks X₁ . . . X_(N) by carrying out a decryption operation by means of a decryption algorithm D and next a XOR operation on each block Y_(N) . . . Y₁ received to obtain the original blocks X₁ . . . X_(N). This system applies the aforementioned Cipher Block Chaining (CBC) to a sequence of blocks in a reversed order relative to the order of the input sequence.

This block cipher mode of operation RCBC Reverse Cipher Block Chaining can be used to achieve Bidirectional Difference Propagation (BDP), when combined with another layer of encryption/decryption. With this method, encryption makes two processing passes over the data, and thus needs to keep the whole sequence of blocks in memory. However, decryption is done in one pass over the data (with two encryption layers), and only two blocks need be kept in memory.

The ciphering method BEAR and LION particularly adapted to large blocks described by Ross J. Anderson and Eli Biham “Two practical and provably secure block ciphers: BEAR and LION” and by Eli Biham, editor, “Fast Software Encryption”, 4th International Workshop, FSE '97, Haifa, Israel, Jan. 20-22, 1997, Proceedings, volume 1267 of LNCS. Springer, 1997, pages 113-120 provides BDP by using large, variable-size blocks. However both encryption and decryption need two passes over the data and memory to store the whole sequence of blocks.

Other processes called All-or-nothing-transforms are described by Ran Canetti, Yevgeniy Dodis, Shai Halevi, Eyal Kushilevitz, and Amit Sahai, “Exposure-resilient functions and all-or-nothing transforms”; in Bart Preneel, editor, EUROCRYPT, volume 1807 of LNCS, pages 453-469, Springer, 2000 and by Ronald L. Rivest. “All-or-nothing encryption and the package transform” in Eli Biham, editor, “Fast Software Encryption”, 4th International Workshop, FSE'97, Haifa, Israel, Jan. 20-22, 1997, Proceedings, volume 1267 of LNCS. Springer, 1997, pages 210-218.

These processes achieve also BDP. However, the construction according to Ronald L. Rivest “All-or-nothing encryption and the package transform” achieves Bidirectional Difference Propagation (BDP) with respect to decryption rather than encryption, it needs two levels of processing for encryption and decryption, and decryption needs memory for the whole sequence of blocks. Moreover, ciphertexts are longer than plaintexts by one block, and encryption is probabilistic, i.e., it uses an auxiliary pseudorandom generator.

SUMMARY OF THE INVENTION

The present invention aims to provide an efficient solution to the problem of encrypting a plaintext of arbitrary length such that all bits of the ciphertext depend on all bits of the plaintext. Therefore any difference between any two plaintexts makes the two ciphertexts look completely different. This property known as Bidirectional Difference Propagation (BDP) gives a desirable security to encryption methods, as it dissimulates the position of plaintext differences to attackers observing their respective ciphertexts. For example, when encrypting data packets composed of possibly identical headers followed by a variable payload, BDP ensures that the beginning of the ciphertexts will differ.

The aims are achieved by a method and a system adapted for encrypting digital data; said data being divided into a sequence of N blocks of a same length of n bits each,

The method comprising steps of:

a) Inputting the sequence of N blocks into a pre-processing module comprising a processor, registers, multiplier modules, addition modules, inverter modules, and a memory containing a set of elements invertible within a predetermined algebraic structure,

b) Multiplying, by a multiplier module, each block by an element of the set to obtain a sequence of intermediary blocks,

c) Adding, by an addition module, the last intermediary block to the immediately preceding intermediary block to obtain a resulting block, the last intermediary block corresponding to the last resulting block,

d) Adding the previously obtained resulting block to the immediately preceding intermediary block to obtain a resulting block,

e) Repeating step d) until the step of adding the second resulting block to the first resulting block, said first resulting block being formed by the addition of all intermediary blocks,

f) Outputting a sequence of resulting blocks each having a length identical to a corresponding block of the input sequence.

g) Ciphering each resulting block, by a ciphering module, with a block cipher in a chaining mode from the first resulting block to the last resulting block with a ciphering algorithm to produce a sequence of ciphered blocks, said ciphered blocks having each a length corresponding to the length of the input blocks.

The method of the invention improves memory and computational efficiency in relation to the methods of the prior art. In fact, the encryption requires executing two processing passes over the plaintext input blocks, one with a linear algebra operation followed by one ciphering layer, requiring memory for the whole sequence of data blocks.

The invention further relates to a system configured to carry out the method.

The decryption requires executing one processing pass over the ciphertext with one layer of decryption and a linear algebra operation computed in pipeline, requiring memory for two blocks.

The produced output ciphertext blocks have the same length as the input plaintext blocks.

The table below shows the differences between the number of encryption/decryption passes and encryption/decryption layers of the prior art solutions and the same of the present solution.

Solution                  Encryption  Decryption  Encryption  Decryption
                          passes      passes      layers      layers
Folklore                  2           2           2           2
RCBC mode                 2           1           2           2
Large blocks BEAR-LION    2           2           1           1
All-or-nothing            2           1           2           2
The present solution      2           1           1           1

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be better understood with the following detailed description, which refers to the attached figure given as a non-limitative example.

FIG. 1 shows a block diagram of the encryption process where the first pass of pre-processing begins with the last block of the input sequence and ends with the first block. After obtaining a sequence of intermediary blocks, a second pass of ciphering is applied in a chaining mode on each intermediary block from the first to the last block.

FIG. 2 shows a block diagram of an embodiment of the encryption process shown by FIG. 1 applied in a ring GF(2)^(n) with logical XOR and AND operations.

FIG. 3 shows a block diagram of the decryption process of input blocks previously encrypted as shown in FIG. 1. The process begins with the deciphering of the first block and obtaining the following decrypted blocks in one pass by successive deciphering, and inverse algebra operations of the encryption process until obtaining the last decrypted block.

FIG. 4 shows a block diagram of the decryption process applied in a ring GF(2)^(n) with logical XOR and AND operations to blocks encrypted according to process shown by FIG. 2.

DETAILED DESCRIPTION OF THE INVENTION

The digital data of the plaintext to encrypt are divided into a sequence (X₁, X₂, X₃ . . . , X_(N)) of N blocks having each a same length of n bits. In a similar way, ciphertext data (Z₁, Z₂, Z₃, . . . , Z_(N)) encrypted by the method of the invention are also divided into N blocks having each a same length of n bits.

In mathematics, each of these blocks is an element of a finite ring R(+, *), i.e. an algebraic structure consisting of a set R together with two binary operations usually called addition (+) and multiplication (*) satisfying at least the known criteria of closure, associativity, and distributivity of multiplication over addition. The ring R(+, *) further comprises an inverse element for both addition and multiplication operations, and each element has a unique additive inverse.

Encryption

In the encryption process the sequence of N plaintext blocks (X₁, X₂, X₃ . . . , X_(N)) is entered into a pre-processing module comprising hardware and software modules, such as registers, multipliers, addition modules, inverter modules controlled by a processor. The pre-processing module carries out a first processing pass A by executing successive mathematical operations on the N input blocks sequence (X₁, X₂, X₃ . . . X_(N)) and obtains a sequence of resulting blocks (Y₁, Y₂, Y₃ . . . Y_(N)). A second processing pass B carries out a ciphering operation using a predetermined algorithm on each of the resulting blocks (Y₁, Y₂, Y₃ . . . Y_(N)) in a chaining mode to produce a sequence of ciphertext blocks (Z₁, Z₂, Z₃, . . . Z_(N)).

In a preferred embodiment, the mathematical operations are executed mostly with hardware modules known for their high speed and high reliability calculation performances relative to software program modules.

The pre-processing further comprises a memory containing a set of elements (m₁, m₂, m₃ . . . m_(N)) used as coefficients multiplying each block of the input sequence (X₁, X₂, X₃ . . . X_(N)). These elements (m₁, m₂, m₃ . . . m_(N)) must be invertible within the ring R(+, *), i.e. any input block X can be recovered from any intermediary block X*m, obtained by multiplying the input block X by a coefficient m, by carrying out a multiplication by the multiplicative inverse of m or division by m. In other words m must be different than the null element for the multiplication operation (*) within the predetermined algebraic structure i.e. the ring R(+, *).

The first processing pass A consisting of executing linear algebraic operation shown by FIG. 1 can be expressed as follows:

The sequence of N blocks of plaintext (X₁, X₂, X₃ . . . X_(N)) can be noted as a column vector A. The sequence of the blocks (Y₁, Y₂, Y₃ . . . Y_(N)) resulting from the linear algebraic operation can be noted as a column vector B.

The vector B is then obtained by multiplying an upper triangular square matrix M of N×N elements by the vector A. The matrix M is populated row by row in the right upper half, including the diagonal, by N elements (m₁, m₂, m₃ . . . m_(N)), the columns containing each the same element. As mentioned above, the N elements (m₁, m₂, m₃ . . . m_(N)) belong to the ring R(+, *) and are invertible.

B = M × A  where

$A = \begin{pmatrix} X_{1} \\ X_{2} \\ X_{3} \\ \ldots \\ X_{N-2} \\ X_{N-1} \\ X_{N} \end{pmatrix}$, $B = \begin{pmatrix} Y_{1} \\ Y_{2} \\ Y_{3} \\ \ldots \\ Y_{N-2} \\ Y_{N-1} \\ Y_{N} \end{pmatrix}$ and

$M = \begin{pmatrix} m_{1} & m_{2} & m_{3} & \ldots & m_{N-2} & m_{N-1} & m_{N} \\ & m_{2} & m_{3} & \ldots & m_{N-2} & m_{N-1} & m_{N} \\ & & m_{3} & \ldots & m_{N-2} & m_{N-1} & m_{N} \\ & & & \ldots & m_{N-2} & m_{N-1} & m_{N} \\ & & & & m_{N-2} & m_{N-1} & m_{N} \\ & & & & & m_{N-1} & m_{N} \\ & & & & & & m_{N} \end{pmatrix}$

$M \times A = \begin{pmatrix} m_{1} & m_{2} & m_{3} & \ldots & m_{N-2} & m_{N-1} & m_{N} \\ & m_{2} & m_{3} & \ldots & m_{N-2} & m_{N-1} & m_{N} \\ & & m_{3} & \ldots & m_{N-2} & m_{N-1} & m_{N} \\ & & & \ldots & m_{N-2} & m_{N-1} & m_{N} \\ & & & & m_{N-2} & m_{N-1} & m_{N} \\ & & & & & m_{N-1} & m_{N} \\ & & & & & & m_{N} \end{pmatrix} \times \begin{pmatrix} X_{1} \\ X_{2} \\ X_{3} \\ \ldots \\ X_{N-2} \\ X_{N-1} \\ X_{N} \end{pmatrix} = \begin{pmatrix} Y_{1} \\ Y_{2} \\ Y_{3} \\ \ldots \\ Y_{N-2} \\ Y_{N-1} \\ Y_{N} \end{pmatrix} = B$

By carrying out the matrix multiplication ×, the first resulting Y blocks are

$Y_{1} = m_{1} * X_{1} + \underbrace{m_{2} * X_{2} + m_{3} * X_{3} + \ldots + m_{N-2} * X_{N-2} + m_{N-1} * X_{N-1} + m_{N} * X_{N}}_{Y_{2}}$

or Y₁=m₁*X₁+Y₂

$Y_{2} = m_{2} * X_{2} + \underbrace{m_{3} * X_{3} + \ldots + m_{N-2} * X_{N-2} + m_{N-1} * X_{N-1} + m_{N} * X_{N}}_{Y_{3}}$

or Y₂=m₂*X₂+Y₃

$Y_{3} = m_{3} * X_{3} + \underbrace{\ldots + m_{N-2} * X_{N-2} + m_{N-1} * X_{N-1} + m_{N} * X_{N}}_{Y_{4}}$

or Y₃=m₃*X₃+Y₄ and so on for all elements of the matrix M.

The last resulting block will be Y_(N)=m_(N)*X_(N)

In practice, the calculation carried out by the pre-processing module starts by the multiplication of each input plaintext block (X₁, X₂, X₃ . . . X_(N)) by an element of the set (m₁, m₂, m₃ . . . m_(N)) stored in the memory. A sequence of intermediary blocks (X₁*m₁, X₂*m₂, X₃*m₃ . . . X_(N)*m_(N)) is thus obtained.

The process continues by beginning with the last intermediary block X_(N)*m_(N) which is already the last resulting block Y_(N)=m_(N)*X_(N). The arrow A of the FIG. 1 illustrates the direction of the operations.

The further resulting blocks Y_(i) are obtained by successively adding one by one each intermediary block X_(i)*m_(i) to the result of the preceding additions started from the last intermediary block X_(N)*m_(N). (i being an index going from 1 to N)

These iterative adding steps can be summarized as follows:

1) Set Y_(N)=m_(N)*X_(N)

2) For i=N−1 to 1, set Y_(i)=(m_(i)*X_(i))+Y_(i+1)

The process ends when the first resulting block Y₁ is obtained by the addition of all intermediary blocks (X₁*m₁, X₂*m₂, X₃*m₃ . . . X_(N)*m_(N)), i.e. when i=1, Y₁=m₁*X₁+Y₂.

The resulting blocks (Y₁, Y₂, Y₃ . . . Y_(N)) having each a length identical to a corresponding block (X₁, X₂, X₃ . . . X_(N)) of the input sequence are forwarded to a ciphering module C.

In a second processing pass B (arrow B in FIG. 1), each block Y is then ciphered by a ciphering module C in a chaining mode by starting from the first resulting block Y₁ to last resulting block Y_(N), as shown by the arrows linking the ciphering module C represented by FIG. 1. The ciphering algorithm used may be any standard one such as DES, RSA, IDEA, etc. with symmetrical or asymmetrical keys.

Each resulting block of the sequence (Y₁, Y₂, Y₃ . . . Y_(N)) produces a corresponding block of the ciphered blocks sequence (Z₁, Z₂, Z₃, . . . Z_(N)), each having a same length.

The bidirectional difference propagation effect is thus provided from the last to the first block by the linear algebra operations (first pass A) and from the first to the last block by the ciphering layer (second pass B), once all the resulting blocks (Y₁, Y₂, Y₃ . . . Y_(N)) are obtained by the first pass A.

Another effect is that the ciphered blocks (Z₁, Z₂, Z₃, . . . Z_(N−1)) are dependent on each other except the last block Z_(N). An error in any X block will thus affect all ciphered Z blocks produced by the X blocks preceding the erroneous X block. For example if block X₅ is corrupted, blocks Y₄, Y₃, Y₂ and Y₁ will be also affected as well as the ciphered blocks Z₄, Z₃, Z₂, Z₁. When the last input block X_(N) is corrupted all blocks will be affected while an error on the first block input X₁ will have a minimal effect.

According to an embodiment, the invertible elements (m₁, m₂, m₃ . . . m_(N)) are all equal to a value corresponding to the multiplicative identity of the predetermined algebraic structure. The sequence of intermediary blocks (X₁*m₁, X₂*m₂, X₃*m₃ . . . X_(N)*m_(N)) is thus equal to the input block sequence (X₁, X₂, X₃ . . . X_(N)). The matrix M includes only the multiplicative identity at the places of the (m₁, m₂, m₃, . . . m_(N)) elements.

In this case, the iterative adding steps can be summarized as follows:

1) Set Y_(N)=X_(N)

2) For i=N−1 to 1, set Y_(i)=X_(i)+Y_(i+1)

According to a further embodiment the blocks (X₁, X₂, X₃, . . . X_(N)) and the resulting blocks (Y₁, . . . Y_(N)) are elements of a finite Galois ring GF(2)^(n) (*, +) including binary elements of n bits where multiplication (*) corresponds to logical AND operation and addition (+) corresponds to logical XOR operation carried out bitwise. The invertible elements (m₁, m₂, m₃ . . . m_(N)) may have any value different than the null element for the logical AND operation within the ring GF(2)^(n) (AND, XOR). Some elements (m₁, m₂, m₃ . . . m_(N)) may also be equal to the multiplicative identity.

FIG. 2 shows a further embodiment of the encryption process where the invertible elements (m₁, m₂, m₃, . . . m_(N)) are all equal to a value corresponding to the multiplicative identity i.e. a string of n bit “1” in the ring GF(2)^(n) (*, +). The multiplication (*) corresponds to logical AND operation and addition (+) corresponds to logical XOR operation carried out bitwise, i.e. the finite ring is defined as GF(2)^(n) (AND, XOR). Thus an input block (X AND Identity) gives the input block X itself which is set as the intermediary block of the preceding embodiment. Therefore the step of multiplying each input block by an invertible element is suppressed.

The process begins then with the last input block X_(N) which is set as the last resulting block Y_(N). The arrow of the FIG. 1 illustrates the direction of the operations.

The further resulting blocks Y_(i) are obtained by successively “adding” (XOR operation) one by one each input block X_(i) to the result of the preceding “additions” (XOR operations) started from the last input block X_(N). (i being an index going from 1 to N)

These iterative XOR steps can be summarized as follows:

1) Set Y_(N)=X_(N)

2) For i=N−1 to 1, set Y_(i)=X_(i)⊕Y_(i+1), where ⊕ represents logical XOR operation

The process ends when the first resulting block Y₁ is obtained by the addition of all input blocks (X₁, X₂, X₃, . . . X_(N)), i.e. when i=1, Y₁=X₁+Y₂.

The resulting blocks (Y₁, Y₂, Y₃ . . . Y_(N)) having each a length identical to a corresponding input block (X₁, X₂, X₃ . . . X_(N)) of the input sequence are forwarded to a ciphering module C.

In a second processing pass B, each block Y is then ciphered by a ciphering module C in a chaining mode by starting from the first resulting block Y₁ to last resulting block Y_(N), as shown by the arrows linking the ciphering module C represented by FIG. 2. The ciphering algorithm used may be any standard one such as DES, RSA, IDEA, etc. with symmetrical or asymmetrical keys.

Each resulting block of the sequence (Y₁, Y₂, Y₃ . . . Y_(N)) produces a corresponding block of the ciphered blocks sequence (Z₁, Z₂, Z₃, . . . , Z_(N)), each having a same length.

Decryption

The digital data encrypted according to the above described method are first divided into a sequence of N encrypted blocks (Z₁, Z₂, Z₃ . . . Z_(N)) each of a same length of n bits. The decryption is carried out in one pass A contrarily to the encryption which requires two passes A and B. In FIG. 3, the decryption from input Z block to output X blocks progression is shown by the arrow A directed from left to the right. A deciphering module D deciphers the two first input encrypted blocks Z₁ and Z₂ by using a deciphering algorithm corresponding to the algorithm used for ciphering and obtains two first deciphered intermediate resulting blocks Y₁ and Y₂ which are stored into a buffer or a register.

The first deciphered intermediate resulting block Y₁ is then input into the pre-processing module for calculating by the addition, multiplier and inverter modules, a first decrypted resulting block X₁=(Y₁−Y₂)/m₁. The second intermediate deciphered resulting block Y₂ is subtracted from the first deciphered intermediate resulting block Y₁ and the result of the subtraction is divided by the first element m₁ of the set (m₁, m₂, m₃ . . . m_(N)) stored in the memory of the pre-processing module.

In the ring R(*, +), the subtraction corresponds to an addition of the additive inverse of the block Y and the division corresponds to the multiplication of the multiplicative inverse of the element m which is invertible.

The process continues by deciphering each following ciphered block Z₃, Z₄, . . . Z_(N), and calculating successively, after obtaining each intermediate deciphered resulting block Y₃, Y₄, . . . Y_(N), each decrypted resulting block X₃, X₄, . . . X_(N) by subtracting from an intermediate deciphered resulting block Y_(i) obtained, the immediately following intermediate deciphered resulting block Y_(i+1) and dividing the result of the subtraction by an element m_(i), where i is an index going from 1 to N.

At the end of the process, the penultimate decrypted resulting block X_(N−1)=(Y_(N−1)−Y_(N))/m_(N−1) is obtained by subtracting from the penultimate intermediate deciphered resulting block Y_(N−1) the last intermediate deciphered resulting block Y_(N) and by dividing the result of the subtraction by the penultimate element m_(N−1) of the set (m₁, m₂, m₃ . . . m_(N)). The last intermediate deciphered resulting block Y_(N) is then divided by the last element m_(N) to obtain the last decrypted resulting block X_(N).

The decryption processing pass can be summarized as follows:

1) Decipher Z₁ to obtain Y₁,

2) For i=1 to N−1

    - Decipher the block Z_(i+1) to obtain Y_(i+1),
    - Set X_(i)=(Y_(i)−Y_(i+1))/m_(i)

3) Set X_(N)=Y_(N)/m_(N)

In the embodiment where the invertible elements (m₁, m₂, m₃ . . . m_(N)) are all equal to a value corresponding to the multiplicative identity of the predetermined algebraic structure, the decryption process will be simplified as follows:

1) Decipher Z₁ to obtain Y₁,

2) For i=1 to N−1

    - Decipher the block Z_(i+1) to obtain Y_(i+1),
    - Set X_(i)=Y_(i)−Y_(i+1)

3) Set X_(N)=Y_(N)

According to a further embodiment the decrypted resulting block (X₁, X₂, X₃, . . . X_(N)) and the intermediate deciphered resulting blocks (Y₁, . . . Y_(N)) are elements of a finite Galois ring GF(2)^(n) (*, +) including binary elements of n bits where multiplication (*) corresponds to logical AND operation and addition (+) corresponds to logical XOR operation carried out bitwise. The invertible elements (m₁, m₂, m₃ . . . m_(N)) may have any value different than the null element for the logical AND operation within the ring GF(2)^(n) (AND, XOR). Some elements (m₁, m₂, m₃ . . . m_(N)) may also be equal to the multiplicative identity.

FIG. 4 shows the embodiment of the decryption process where the invertible elements (m₁, m₂, m₃ . . . m_(N)) are all equal to a value corresponding to the multiplicative identity. The multiplication (*) corresponds to logical AND operation and addition (+) corresponds to logical XOR operation carried out bitwise.

The process begins then with the first and second input block Z₁, Z₂ which are deciphered to obtain the corresponding first and the second intermediary resulting blocks Y₁ and Y₂.

The further resulting blocks Y_(i) are obtained by successively deciphering and “adding” (XOR operation) two consecutive intermediary resulting blocks Y_(i), Y_(i+1) after each deciphering of an input encrypted block Z_(i).

In the ring GF(2)^(n) (AND, XOR), calculations are particularly simplified thanks to XOR operation which is involutive, i.e. the inverse of the XOR operation is XOR operation itself, and also commutative (Y₁ XOR Y₂)=(Y₂ XOR Y₁).

The iterative deciphering and XOR steps can be summarized as follows:

1) Decipher Z₁ to obtain Y₁,

2) For i=1 to N−1

    - Decipher the block Z_(i+1) to obtain Y_(i+1),
    - Set X_(i)=Y_(i)⊕Y_(i+1) where ⊕ represents XOR operation

3) Set X_(N)=Y_(N)

Unlike the encryption process where the algebraic operation and the ciphering operations are executed in two separate passes, the decryption process executes, in only one pass, deciphering for obtaining one after the other an immediately following intermediate deciphered resulting block Y_(i+1) to subtract from the intermediate deciphered resulting block Y_(i) obtained just before. In other words input encrypted block Z_(i) deciphering operation is included in the algebraic iterative additions loop of consecutive intermediary resulting blocks Y_(i) with the index i progressing from 1 to N−1.

In an analogous way of the encryption, the encrypted blocks (Z₁, Z₂, Z₃, . . . Z_(N−1)) are dependent on each other except the last block Z_(N). An error in any Z block will thus affect all decrypted X blocks produced by the Z blocks following the erroneous Z block. For example if block Z₃ is corrupted, deciphered intermediate blocks Y₄, Y₅, . . . until the penultimate block Y_(N−1) will be also affected as well as the corresponding decrypted output blocks X₄, X₅, . . . , X_(N−1). When the first input block Z₁ is corrupted all blocks will be affected while an error on the last input block Z_(N) will have a minimal effect.
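An added example, not part of the patent text: a Python implementation of the GF(2)^(n) (AND, XOR) embodiment with every m_(i) equal to the identity, covering pass A, pass B and the one-pass decryption summarized above, and comparing it with plain CBC on two packets that share their leading blocks. The 4-round Feistel cipher built on SHA-256 (a stand-in for ciphering module C), the choice of CBC as the chaining mode, the fixed zero initial vector, the key and the sample packets are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 16  # block length n = 128 bits (constructed choice)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, r, half):
    # Round function of the stand-in cipher: truncated SHA-256.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def cipher(key, block):
    # Toy 4-round Feistel permutation standing in for ciphering module C.
    # Assumption for illustration only; use a vetted block cipher in practice.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def decipher(key, block):
    # Inverse of cipher(): undo the Feistel rounds in reverse order.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, blocks):
    # Pass B: chaining from the first block to the last.
    out, prev = [], iv
    for b in blocks:
        prev = cipher(key, xor(b, prev))
        out.append(prev)
    return out

def pass_a(xs):
    # Pass A: Y_N = X_N, then Y_i = X_i XOR Y_(i+1) for i = N-1 down to 1.
    ys = list(xs)
    for i in range(len(xs) - 2, -1, -1):
        ys[i] = xor(xs[i], ys[i + 1])
    return ys

def bdp_encrypt(key, iv, xs):
    # Two passes; the whole sequence is held in memory.
    return cbc_encrypt(key, iv, pass_a(xs))

def bdp_decrypt(key, iv, zs):
    # One pass over an iterable of ciphertext blocks. Only two deciphered
    # Y blocks are held, plus the previous ciphertext block needed by CBC.
    it = iter(zs)
    prev_z = next(it, None)
    if prev_z is None:
        return
    y = xor(decipher(key, prev_z), iv)
    for z in it:
        y_next = xor(decipher(key, z), prev_z)
        yield xor(y, y_next)          # X_i = Y_i XOR Y_(i+1)
        y, prev_z = y_next, z
    yield y                           # X_N = Y_N

def changed_blocks(a, b):
    # 1-based indices of the blocks that differ between two sequences.
    return [i + 1 for i, (x, y) in enumerate(zip(a, b)) if x != y]

def demo():
    # Constructed packets: same header and body, different last block.
    key, iv = b"constructed key!", bytes(BLOCK)
    header = b"HDR-0001".ljust(BLOCK, b".")
    p1 = [header, b"A" * BLOCK, b"B" * BLOCK, b"payload-one".ljust(BLOCK, b".")]
    p2 = p1[:3] + [b"payload-two".ljust(BLOCK, b".")]
    plain = changed_blocks(cbc_encrypt(key, iv, p1), cbc_encrypt(key, iv, p2))
    bdp = changed_blocks(bdp_encrypt(key, iv, p1), bdp_encrypt(key, iv, p2))
    return plain, bdp

if __name__ == "__main__":
    print(demo())
```

With plain CBC only ciphertext block 4 differs between the two packets, while the two-pass construction changes blocks 1 to 4, so the shared header is no longer visible. The example fixes m_(i) to the all-ones block because a bitwise AND with a mask containing a zero bit discards that bit position and cannot be undone.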

1. A method for encrypting digital data, said data being divided into asequence of N blocks of a same length of n bits each, comprising stepsof: a) inputting the sequence of N blocks into a pre-processing modulecomprising a processor, registers, multiplier modules, addition modules,inverter modules, and a memory containing a set of N invertibleelements, the N blocks and the N elements of the set being within apredetermined algebraic structure, b) multiplying, by a multipliermodule, each block by an element of the set to obtain a sequence of Nintermediary blocks composed by a first block multiplied by a firstelement, a second block multiplied by a second element, a third blockmultiplied by a third element and so on until a last intermediary blockcomposed by a last block multiplied by a last element, c) adding, by anaddition module, the last intermediary block to the immediatelypreceding intermediary block to obtain a resulting block, the lastintermediary block corresponding to the last resulting block, d) addingthe previously obtained resulting block to the immediately precedingintermediary block to obtain a further resulting block, e) repeatingstep d) until the step of adding the second resulting block to the firstresulting block, said first resulting block being formed by the additionof all N intermediary blocks. f) outputting a sequence of N resultingblocks, each having a length identical to a corresponding block of theinput sequence of N blocks, and g) ciphering each resulting blocks ofthe sequence, by a ciphering module, with a block cipher in a chainingmode from the first resulting block to the last resulting block with aciphering algorithm to produce a sequence of N encrypted blocks, saidencrypted blocks having each a same length.
 2. The method according toclaim 1 wherein the N invertible elements of the set are all equal to avalue corresponding to the multiplicative identity of the predeterminedalgebraic structure.
 3. The method according to claim 2, wherein the Nblocks of the input sequence and the N resulting blocks are elements ofa finite Gallois ring including binary elements of n bits wheremultiplication corresponds to logical AND operation and additioncorresponds to logical XOR operation carried out bitwise.
 4. The methodaccording to claim 2 wherein the N invertible elements of the set areall equal to a value corresponding to the multiplicative identity of thepredetermined algebraic structure and wherein the N blocks and the Nresulting blocks are elements of a finite Gallois ring including binaryelements of n bits where multiplication corresponds to logical ANDoperation and addition corresponds to logical XOR operation carried outbitwise, comprising steps of: a) inputting the sequence of N blocks intothe pre-processing module, b) executing bitwise XOR operation with thelast block and the immediately preceding block to obtain a resultingblock, the last block corresponding to the last resulting block, c)executing bitwise XOR operation with the previously obtained resultingblock and the immediately preceding block to obtain a resulting block,d) repeating step c) until the step of executing bitwise XOR operationwith the second resulting block and the first resulting block, saidfirst resulting block being formed by the bitwise XOR operation executedwith all N blocks. e) outputting a sequence of N resulting blocks, eachhaving a length equivalent to a corresponding block of the inputsequence of N blocks, and f) ciphering each resulting blocks with ablock cipher in a chaining mode from the first resulting block to thelast resulting block with a ciphering algorithm to produce a sequence ofN encrypted blocks.
 5. The method for decrypting digital data encryptedaccording to the method of claim 1, said data being divided into asequence of N encrypted blocks of a same length of n bits each,comprising steps of: a) deciphering by a deciphering module the firstencrypted block with a deciphering algorithm to obtain a firstdeciphered intermediate resulting block, b) deciphering, by thedeciphering module, the immediately following encrypted block to obtaina following deciphered intermediate resulting block, c) inputting thefirst deciphered intermediate resulting block into a pre-processingmodule comprising a processor, registers, multiplier modules, additionmodules, inverter modules, and a memory containing a set of N invertibleelements within a predetermined algebraic structure, d) calculating bythe addition, multiplier and inverter modules, a first decryptedresulting block by subtracting to the first intermediate decipheredresulting block the immediately following intermediate decipheredresulting block and by dividing the result of the subtraction by thefirst invertible element of the set of N elements, e) repeating thesteps b) to d) with each following encrypted block, until step ofobtaining the penultimate decrypted resulting block by subtracting tothe penultimate intermediate deciphered resulting block the lastintermediate deciphered resulting block and by dividing the result ofthe subtraction by the penultimate element of the set of N elements. f)dividing the last intermediate deciphered resulting block by the lastelement of the set of N elements to obtain the last decrypted resultingblock and, g) outputting a sequence of N decrypted resulting blocks saidN decrypted resulting blocks having each a same length.
 6. The method according to claim 5 wherein the N invertible elements of the set are all equal to a value corresponding to the multiplicative identity of the predetermined algebraic structure.
 7. The method according to claim 6, wherein the N decrypted resulting blocks and the N intermediate deciphered resulting blocks are elements of a finite Galois ring including binary elements of n bits where multiplication corresponds to logical AND operation and addition corresponds to logical XOR operation carried out bitwise.
 8. The method according to claim 6, wherein the N invertible elements are all equal to a value corresponding to the multiplicative identity of the predetermined algebraic structure and wherein the N decrypted resulting blocks and the N intermediate deciphered resulting blocks are elements of a finite Galois ring including binary elements of n bits where multiplication corresponds to logical AND operation and addition corresponds to logical XOR operation carried out bitwise, comprising steps of: a) deciphering by a deciphering module the first encrypted block with a deciphering algorithm to obtain a first intermediate deciphered resulting block, b) deciphering, by the deciphering module, the immediately following encrypted block to obtain a following intermediate deciphered resulting block, c) inputting the first intermediate deciphered resulting block into the pre-processing module, d) calculating a first resulting decrypted block by executing bitwise XOR operation with the first intermediate deciphered resulting block and the immediately following intermediate deciphered resulting block, e) repeating the steps b) to d) with each following encrypted block, until the step of obtaining the penultimate decrypted resulting block by executing bitwise XOR operation with the penultimate intermediate deciphered resulting block and the last intermediate deciphered resulting block, said last intermediate deciphered resulting block corresponding to the last decrypted resulting block, and f) outputting a sequence of N decrypted resulting blocks, said N decrypted resulting blocks having each a same length.
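The XOR variant of claims 4 and 8, as an added example that is not part of the patent text: a right-to-left XOR pre-pass followed by chained ciphering, and the single left-to-right decryption pass. The chaining mode is assumed to be CBC, and the 4-round Feistel permutation, key, IV and sample blocks are constructed stand-ins for a real block cipher and real data.

```python
import hashlib

BLOCK = 16  # assumed block length in bytes (n = 128 bits)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def _f(key, i, half):
    # Round function of the stand-in cipher (constructed for this example).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def toy_encipher(key, block):
    # 4-round Feistel permutation standing in for a real block cipher.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def toy_decipher(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def encrypt(key, iv, x, prepass=True):
    y = list(x)
    if prepass:  # claim 4 b)-d): Y_N = X_N, then Y_i = X_i XOR Y_{i+1}, right to left
        for i in range(len(y) - 2, -1, -1):
            y[i] = xor(y[i], y[i + 1])
    z, prev = [], iv
    for yi in y:  # claim 4 f): chaining mode (CBC assumed), left to right
        prev = toy_encipher(key, xor(yi, prev))
        z.append(prev)
    return z

def decrypt(key, iv, z):
    # Claim 8: one left-to-right pass; X_{i-1} = Y_{i-1} XOR Y_i, and X_N = Y_N.
    x, prev_z, prev_y = [], iv, None
    for zi in z:
        yi = xor(toy_decipher(key, zi), prev_z)
        if prev_y is not None:
            x.append(xor(prev_y, yi))
        prev_z, prev_y = zi, yi
    return x + ([prev_y] if prev_y is not None else [])

def changed(za, zb):
    # Indices of ciphertext blocks that differ between two encryptions.
    return [i for i, (a, b) in enumerate(zip(za, zb)) if a != b]

# Constructed sample input: four 16-byte blocks, key and IV.
KEY, IV = b"example-key", bytes(BLOCK)
X = [bytes([i]) * BLOCK for i in range(1, 5)]
```

Calling `encrypt` with `prepass=False` gives plain CBC, so `changed` can compare how a one-bit change in the last input block spreads with and without the first pass.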
 9. A system configured to encrypt digital data, said data being divided into a sequence of N blocks of a same length of n bits each, comprising: a) a pre-processing module comprising a processor, registers, multiplier modules, addition modules, inverter modules, and a memory containing a set of N invertible elements, the N blocks and the N elements of the set being within a predetermined algebraic structure, the pre-processing module being adapted to receive the sequence of N blocks at an input, b) the multiplier modules being configured to multiply each block by an element of the set to obtain a sequence of N intermediary blocks composed by a first block multiplied by a first element, a second block multiplied by a second element, a third block multiplied by a third element and so on until a last intermediary block composed by a last block multiplied by a last element, c) the addition modules being configured to add the last intermediary block to the immediately preceding intermediary block to obtain a resulting block, the last intermediary block corresponding to the last resulting block, d) the addition modules being further configured to add the previously obtained resulting block to the immediately preceding intermediary block to obtain a further resulting block, e) the addition modules being further configured to repeat the preceding addition operation until adding the second resulting block to the first resulting block, said first resulting block being formed by the addition of all N intermediary blocks, f) the pre-processing module being adapted to output a sequence of N resulting blocks, each having a length identical to a corresponding block of the input sequence of N blocks, and g) a ciphering module configured to cipher each resulting block of the sequence with a block cipher in a chaining mode from the first resulting block to the last resulting block with a ciphering algorithm and to produce a sequence of N encrypted blocks, said encrypted blocks having each a same length.
 10. The system according to claim 9 wherein the N invertible elements of the set are all equal to a value corresponding to the multiplicative identity of the predetermined algebraic structure.
 11. The system according to claim 10, wherein the N blocks of the input sequence and the N resulting blocks are elements of a finite Galois ring including binary elements of n bits where multiplication corresponds to logical AND operation and addition corresponds to logical XOR operation carried out bitwise.
 12. The system according to claim 10 wherein the N invertible elements of the set are all equal to a value corresponding to the multiplicative identity of the predetermined algebraic structure and wherein the N blocks and the N resulting blocks are elements of a finite Galois ring including binary elements of n bits where multiplication corresponds to logical AND operation and addition corresponds to logical XOR operation carried out bitwise, comprising: a) the pre-processing module being configured to receive the sequence of N blocks at an input, b) the addition modules being configured to execute bitwise XOR operation with the last block and the immediately preceding block to obtain a resulting block, the last block corresponding to the last resulting block, c) the addition modules being further configured to execute bitwise XOR operation with the previously obtained resulting block and the immediately preceding block to obtain a resulting block, d) the addition modules being configured to repeat the preceding bitwise XOR operation until executing the bitwise XOR operation with the second resulting block and the first resulting block, said first resulting block being formed by the bitwise XOR operation executed with all N blocks, e) the pre-processing module being adapted to output a sequence of N resulting blocks, each having a length equivalent to a corresponding block of the input sequence of N blocks, f) the ciphering module being configured to cipher each resulting block with a block cipher in a chaining mode from the first resulting block to the last resulting block with a ciphering algorithm and to produce a sequence of N encrypted blocks.
 13. The system configured for decrypting digital data encrypted by the system according to claim 9, said data being divided into a sequence of N encrypted blocks of a same length of n bits each, comprising: a) a deciphering module configured to decipher the first encrypted block with a deciphering algorithm to obtain a first deciphered intermediate resulting block, b) the deciphering module being further configured to decipher the immediately following encrypted block to obtain a following deciphered intermediate resulting block, c) a pre-processing module comprising a processor, registers, multiplier modules, addition modules, inverter modules, and a memory containing a set of N invertible elements within a predetermined algebraic structure, the pre-processing module being adapted to receive the first deciphered intermediate resulting block at an input, d) the addition modules, the multiplier and the inverter modules being configured to calculate a first decrypted resulting block by subtracting from the first intermediate deciphered resulting block the immediately following intermediate deciphered resulting block and by dividing the result of the subtraction by the first invertible element of the set of N elements, e) the deciphering module, the addition modules, the multiplier and the inverter modules being further configured to repeat deciphering and calculating operations with each following encrypted block, until obtaining the penultimate decrypted resulting block by subtracting from the penultimate intermediate deciphered resulting block the last intermediate deciphered resulting block and by dividing the result of the subtraction by the penultimate element of the set of N elements, f) the inverter modules being further configured to divide the last intermediate deciphered resulting block by the last element of the set of N elements to obtain the last decrypted resulting block, g) the pre-processing module being adapted to output a sequence of N decrypted resulting blocks, said N decrypted resulting blocks having each a same length.
 14. The system according to claim 13 wherein the N invertible elements of the set are all equal to a value corresponding to the multiplicative identity of the predetermined algebraic structure.
 15. The system according to claim 14, wherein the N decrypted resulting blocks and the N intermediate deciphered resulting blocks are elements of a finite Galois ring including binary elements of n bits where multiplication corresponds to logical AND operation and addition corresponds to logical XOR operation carried out bitwise.
 16. The system according to claim 14, wherein the N invertible elements are all equal to a value corresponding to the multiplicative identity of the predetermined algebraic structure and wherein the N decrypted resulting blocks and the N intermediate deciphered resulting blocks are elements of a finite Galois ring including binary elements of n bits where multiplication corresponds to logical AND operation and addition corresponds to logical XOR operation carried out bitwise, comprising: a) the deciphering module being configured to decipher the first encrypted block with a deciphering algorithm to obtain a first intermediate deciphered resulting block, b) the deciphering module being further configured to decipher the immediately following encrypted block to obtain a following intermediate deciphered resulting block, c) the pre-processing module being adapted to receive the first deciphered intermediate resulting block at an input, d) the addition modules being configured to calculate a first resulting decrypted block by executing bitwise XOR operation with the first intermediate deciphered resulting block and the immediately following intermediate deciphered resulting block, e) the deciphering module and the addition modules being further configured to repeat deciphering and bitwise XOR operations with each following encrypted block, until obtaining the penultimate decrypted resulting block by executing bitwise XOR operation with the penultimate intermediate deciphered resulting block and the last intermediate deciphered resulting block, said last intermediate deciphered resulting block corresponding to the last decrypted resulting block, f) the pre-processing module being adapted to output a sequence of N decrypted resulting blocks, said N decrypted resulting blocks having each a same length.